1. Introductions and apologies


1.1. Sally Hanson, the Interim Head of Finance, was 
welcomed to this, her first, ICO Audit Committee meeting. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Minutes and action points from the Audit Committee 
meeting of the 7 December 2015 


3.1. The minutes had been agreed previously and had been
published. They were presented here for information. 


3.2. All of the action points had been cleared. 


4. Commissioner’s update 


4.1. The Commissioner provided an update on matters 
currently affecting the ICO. In particular the ICO was 
entering a period of considerable change, prompted by the
EU data protection reforms. The General Data Protection 
Regulation was expected to be finalised by June followed by a 
two year implementation period. The regulation would result 
in changes to what the ICO does and work was starting now, 
as part of a Change Programme (led by Simon Entwisle), to 
ensure that the ICO was prepared internally but also was able 
to advise data controllers now on what they needed to do to 
prepare. 


4.2. The ICO was working closely with the Department for 
Culture, Media and Sport (DCMS); the department would have
to amend UK legislation to help enable the reforms. 


4.3. As part of the Change Programme the ICO was aiming 
to involve and engage with staff as much as possible. 


4.4. The Regulation would remove the obligation for data 
controllers to register. The ICO had therefore been discussing 
with government the need for a new funding system. There 
are at least two financial years before the EU data protection 
reforms would be implemented and changes needed to the ICO
funding structure. 


4.5. The Commissioner’s tenure ends on 28 June. Simon 
Entwisle, as Deputy Commissioner, would stand in for the 
Commissioner if a new appointee is not in post as of 29 June. 
However an announcement on the government’s preferred 
candidate is expected shortly and it was hoped that any gap 
would not be too long. Work had already started on preparing 
for the induction of the new Commissioner. 


4.6. The Commissioner also advised that debate about Safe
Harbor and the new Privacy Shield continued; the
Investigatory Powers Bill had been re-introduced into the
Commons last week; and the ICO had already provided 
advice to those involved in campaigning for the EU 
referendum on use of personal data. In addition the Freedom 
of Information Commission had recently reported, and had 
recommended some minor changes to the freedom of 
information regime. 


4.7. There was no news to report on publication of the 
Triennial Review. The ICO was however taking part in a 
sectoral review of regulators. 


4.8. The Commissioner announced he would be taking up 
the un-salaried position of Vice President of the Council of 
Liverpool University on leaving the ICO. The Commissioner 
advised the Committee that following the end of his tenure as 
Commissioner he would not be representing organisations to 
the ICO for at least 12 months. 


5. Risk management
5.1. The register was introduced for comment.


5.2. It was suggested that there was a need for discussion 
on risk appetite as, in some risk areas, the risk status the 
ICO was aiming for was thought unachievable. 


Action point 1: Peter Bloomfield to bring discussion on 
risk appetite to a forthcoming Management Board. 


6. Finance


January income and expenditure report 


6.1. The January report was presented for discussion. The 
ICO’s position was as expected, a view supported by 
indicative February figures. The ICO anticipated £18m fee 
income for the year with a budget surplus of approximately 
£700k. Any surplus is handed back to the Consolidated Fund 
via the DCMS at year end. DCMS was aware that there will be 
a handback to the Consolidated Fund this year. 


6.2. The settlement letter for grant in aid of £3.75m pa for 
the next three years is expected shortly. The capital limit will 
be £650k pa. This agreement put the ICO in a good position 
to implement the major changes it was expecting. 


6.3. It was confirmed that capital allocation was undertaken
at year end. However a running total was being kept and 
capital expenditure was broadly in line with expectations. 


6.4. The government procurement card bills which had been 
going to the Ministry of Justice (MOJ) had now been accessed.
The ICO was moving to a DCMS card scheme shortly. 


Retaining of costs accrued in the recovering of civil monetary 
penalties


6.5. The Committee was updated on the possibility of its 
retaining some of the civil monetary penalties collected to 
help meet the cost of chasing payment. It was felt that the 
primary legislation needed to allow this was unlikely to be 
considered by government. 


7. Outstanding audit recommendations 


7.1. An update on the internal and external audit
recommendations was given, in particular on progress in 
agreeing the Management Framework and on the staff 
performance management recommendations. 


7.2. The ICO confirmed that it was working to the old
Framework Agreement with the MOJ pending agreement with
DCMS on the new Management Framework. The ICO was
checking with the DCMS on the applicability of expenditure 
controls if these were unclear. 


7.3. The Audit Committee agreed this general approach.


8. Internal audit 
Finance review 


8.1. Grant Thornton detailed their review of financial 
operations. The overall opinion was rated amber with two 
medium findings related to segregation of duties and access 
rights to the new finance system. Changes were being made 
to meet the recommendations but it was not expected that 
the recommendations would be cleared until later in the year. 
In light of the status of these actions the Committee asked if 
they could be met earlier. Sally Hanson noted these concerns 
and advised that in respect of the access rights these had 
been amended immediately except for the rights relating to 
one person who needed access to make changes. There were 
however tight controls in place over this access. 


Action point 2: Phil Keown and Sally Hanson to confirm 
the position on current access rights and to advise 
members on this as soon as possible. 


8.2. The Committee also questioned use of the phrase “BACs 
payments” in the review. It was confirmed that the review 
actually related to “fast pay”. 


Action point 3: Grant Thornton to amend the review 
wording from BACs to “electronic payments other than 
DD”. 


Audit plan 2015/16 update 


8.3. Grant Thornton provided an update on the Core 
Operations review. Feedback on the impact of Project Eagle 
changes had been sought and a draft report was now being 
prepared. The general tone of the feedback was that 
organisations were content about the investigations the ICO 
undertook but wanted more clarity about how the results 
were published. 


8.4. Given the nature of the review and the timing it was 
agreed to bring the review to the April Management Board, 
copying in Audit Committee members. 


Action point 4: Grant Thornton to finalise the review 
and Peter Bloomfield to ensure it is brought to the 
April Management Board, copied to Audit Committee 
members. 


Draft audit plan 2016/17 


8.5. The Senior Management Team (SMT) had fed into 
discussion of the internal audit plan for 2016/17; the second 
year of what had been a two year plan. Two items remained 
outstanding from the original plan. These were work on 
registration fee forecasting and on the SharePoint
implementation as an advisory piece. These could fall into an 
audit plan for 2017/18 along with any identified assistance on 
the theme of implementing change. An additional topic could 
cover ICO security audits. 


8.6. The Committee agreed the audit plan for 2016/17 and 
asked for a shadow 17/18 plan to come to the next 
Committee meeting. Doing so would help provide the new 
Commissioner with a view as to what was coming. A view on 
the expected number of days audit required for the ICO 
would also be useful. 


Action point 5: Grant Thornton and Peter Bloomfield to 
liaise and ensure a shadow 17/18 plan was brought to 
the June Audit Committee meeting as requested. 


8.7. It was confirmed that 2016/17 was the last year of the 
current contract with Grant Thornton for provision of the 
internal audit function. 


9. External audit 


9.1. James Edmands attended for this item by telephone. He 
advised that BDO had undertaken income testing covering
the last 9 months and no significant findings had been made 
at this stage. It had however been noted that the ICO had 
stopped its testing of registration fee payments. This did not 
affect the external audit opinion but such testing was thought 
useful for internal ICO purposes. 


9.2. David Eagles noted that some data protection 
conference income was still being offset against expenditure. 
The reliance on the Head of Finance position in respect of the 
new finance system was also noted. 


9.3. Simon Entwisle advised that the ICO had re-started 
checking registration fees, and in respect of segregation of 
duties there were interim measures in place and the new 
Management Accountant was in post which helped matters. 


9.4. The NAO also noted that Treasury guidance on annual 
report structure had changed and this did not seem to have 
been reflected in the parts of the ICO Annual Report and 
Accounts brought to the meeting at agenda item 10. The ICO 
confirmed that this was an error and that the new structure 
would be followed in future drafts. 


9.5. There was discussion on the timetable for development 
of the Annual Report and Accounts. Auditors were asked to
advise members of any issues affecting their audit opinions
(if they arose) as early as possible.


10. ICO annual report and accounts 2015/16 


Audit Committee annual report 


10.1. The approach taken to drafting the Audit Committee 
Annual Report 2015/16 was agreed. The report would be 
amended to reflect the final audit opinions when available 
and would be brought to the June Committee meeting. 


Action point 6: Peter Bloomfield to bring an amended 
ICO Annual Report and Accounts to the next Audit 
Committee meeting for agreement. 


Early drafts of governance related sections of the ICO Annual 
Report and Accounts 


10.2. The Audit Committee confirmed that it did not expect 
issues that had not actually arisen to be covered in the 
governance related sections of the Annual Report. 


10.3. The treatment of SMT members in the Annual Report 
and Accounts was also discussed. The NAO had 
recommended that its members be included in the 
Remuneration Report. However there were concerns that this 
was excessive for the Heads of Department given the role of
the team and its temporary nature. The Information 
Commissioner’s status as Corporation Sole and the fact that 
the Board and various other governance committees were 
advisory was also felt relevant. 


10.4. It was confirmed that the Commissioner, Deputy
Commissioners, Deputy Chief Executive Officer and the
Non-executive Directors should be included.


Action point 7: The NAO, BDO and ICO to liaise over the 
treatment of the SMT in the Annual Report and 
Accounts and to report back to members as soon as 
possible on the decision. 


Timetable 


10.5. Discussion on the timetable for development of the 
Annual Report and Accounts had been covered in the 
previous agenda item. 


11. Fraud, whistleblowing and security incident report 


11.1. Simon Entwisle advised that whilst no personal data had 
been put at risk an issue had arisen which had led to 
concerns about internal ICO procedures and controls for 
managing use of IT. The assistance of internal audit might be 
appropriate here to look at the working of the internal 
controls. 


11.2. The Committee encouraged the use of internal audit to 
help look at this issue. 


12. Any other urgent business 
12.1. There was no further business.


